Cisco Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 30 May 2024 21:33:59 +0000

Cisco Talos Warns of a Massive Brute Force Wave
https://gridinsoft.com/blogs/cisco-warns-massive-brute-force/
Thu, 18 Apr 2024 11:58:46 +0000

The Cisco Talos security team has published details of a new campaign aimed at mass account compromise. Researchers recorded enormous numbers of login attempts against internet-facing infrastructure, in particular SSH servers, VPN services and web application logins. The campaign is a concern for both large organizations and home users.

Cisco Reports Massive Brute Force Attack

The first observed attacks date back to March 18, 2024. Cisco had issued an earlier warning about this activity three weeks before; at that time the campaign relied on password spraying against VPN services.

During the attacks, adversaries generated hundreds of thousands, or even millions, of failed authentication attempts. Some of the attempts ended with the error “Unable to complete connection. Cisco Secure Desktop not installed on the client”. Researchers also observed failures in hostscan token allocation.

[Figure: Cisco VPN client error; denial of service caused by the volume of requests]

Attackers use a wide range of credentials, from commonly known usernames to organization-specific ones. Talos has published on GitHub a list of more than 2,000 usernames and nearly 100 passwords used in the attacks, as well as approximately 4,000 IP addresses from which the connections originated. Most of the listed addresses belong to Tor exit nodes and other anonymizing tunnels and proxies. The researchers note that the attacks are untargeted and opportunistic, with no focus on any particular region or industry.

“Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions,” Talos writes.

According to research, attackers target the following resources:

  • Draytek
  • Check Point VPN
  • Cisco Secure Firewall VPN
  • Fortinet VPN
  • RD Web Services
  • SonicWall VPN
  • MikroTik
  • Ubiquiti

The following log entries, published by Talos, show unsuccessful attempts by unauthorized users to authenticate to a Cisco ASA VPN service.

{"timestamp": "2023-01-03T11:38:35.000Z", "user": "unknown", "account": "*****", "result": "FAILED_BAD_LOGIN", "source_ip": "62.204.41.146", "service": "vpn", "geoip_country_code": "RU", "geoip_country_name": "Russia", "geoip_organization": "Horizon LLC", "source_data": "<166>Jan 03 2023 05:38:35 FW : %ASA-6-: Group User <*****> IP <62.204.41.146> Authentication: rejected, Session Type: WebVPN. "}
{"timestamp": "2023-01-06T11:03:59.000Z", "user": "TestUser", "account": "test", "result": "FAILED_BAD_LOGIN", "source_ip": "179.60.147.152", "service": "vpn", "geoip_city": "Moscow", "geoip_country_code": "RU", "geoip_country_name": "Russia", "geoip_organization": "Flyservers S.A.", "geoip_region": "MOW", "source_data": "<166>Jan 06 2023 05:03:59 FW-%ASA-6-: "}

Potential Risks

Penetrating a corporate network through a VPN or an exposed server can give attackers access to sensitive information such as personal data. Through unauthorized VPN access, attackers can also spread malware inside the company’s network, infecting workstations and servers. Unauthorized access of this kind eventually leads to data leaks, which is damaging on its own and also violates regulatory requirements such as GDPR or HIPAA, bringing severe fines and legal consequences for the company. The number of such attacks has been increasing over time, and this trend is expected to continue.

Cisco Protection Recommendations

Cisco has published a series of recommendations for hardening remote access services against this campaign. Here are the key recommendations for organizations that want to minimize the risk and better protect their information systems:

  • Enable detailed logging and send the logs to a remote syslog server. This lets administrators recognize and correlate attack attempts across different points in the network, which is critical for rapid incident response.
  • Point the default remote access profiles, DefaultRAGroup and DefaultWEBVPNGroup, at a sinkhole AAA server, so that connection attempts which do not name a valid tunnel group are rejected instead of being evaluated against real accounts.
  • Use block lists to deny access to VPN services from IP addresses known to be malicious.
  • Configure interface-level access lists and control-plane access lists to filter unauthorized public IP addresses and prevent them from initiating remote VPN sessions.
  • Use the shun command on Cisco ASA and Secure Firewall to drop traffic from specific source IP addresses, which stops further attempts from those addresses.
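The block-list and control-plane recommendations above are only as good as the process that turns a 4,000-entry IOC list into firewall configuration without locking out your own ranges. The script below is an added example, not Cisco’s or Talos’s tooling. It assumes a feed with one IP or CIDR per line (with optional “#” comments), an ASA access list named CP-BLOCK bound to the “outside” interface, and an exclusion list of ranges you own or use internally; SAMPLE_IOCS is constructed from RFC 5737 and RFC 3849 documentation space, not from the Talos list.

```python
"""Convert a published attacker-IP feed into Cisco ASA control-plane ACL entries.

Added example; ACL name, interface and the sample feed are assumptions.
"""
import ipaddress

SAMPLE_IOCS = """
# constructed sample feed, not the Talos list
203.0.113.1
203.0.113.2
203.0.113.3
203.0.113.0/30      # overlaps the three hosts above; collapsed away
198.51.100.0/24
192.0.2.77
2001:db8::1
10.0.0.5            # private: must never reach the ACL
not-an-ip           # junk that a real feed will contain sooner or later
"""

# Ranges that must never be blocked; extend with your own public prefixes.
DEFAULT_EXCLUDE = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_iocs(text, exclude=DEFAULT_EXCLUDE):
    """Return (networks, rejected). Unparseable lines and anything overlapping
    an excluded range go to `rejected` so a human can review them."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        if any(net.version == ex.version and net.overlaps(ex) for ex in exclude):
            rejected.append(line)
            continue
        nets.append(net)
    return nets, rejected


def _ace(acl, net):
    """One ASA extended ACE denying to-the-box traffic from `net`."""
    if net.prefixlen == net.max_prefixlen:
        src = f"host {net.network_address}"
    elif net.version == 4:
        src = f"{net.network_address} {net.netmask}"
    else:
        src = net.with_prefixlen
    return f"access-list {acl} extended deny ip {src} any"


def build_acl(text, acl="CP-BLOCK", iface="outside", exclude=DEFAULT_EXCLUDE):
    """Collapse the feed into the fewest prefixes and emit the ACL plus its
    control-plane binding. Returns a list of configuration lines."""
    nets, _ = parse_iocs(text, exclude)
    lines = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        for net in ipaddress.collapse_addresses(same):
            lines.append(_ace(acl, net))
    lines.append(f"access-list {acl} extended permit ip any any")
    lines.append(f"access-group {acl} in interface {iface} control-plane")
    return lines


if __name__ == "__main__":
    nets, rejected = parse_iocs(SAMPLE_IOCS)
    print("\n".join(build_acl(SAMPLE_IOCS)))
    print("! rejected for review:", rejected)
```

Review the rejected list every time the feed is refreshed: a private address in a public threat feed is usually a parsing slip on the publisher’s side, and a malformed line is the first sign that the feed format has changed underneath you.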

Cisco Unity Connection Vulnerability Enables Root Access
https://gridinsoft.com/blogs/cisco-unity-connection-vulnerability-root-access/
Fri, 12 Jan 2024 13:30:58 +0000

Cisco has recently addressed a significant security vulnerability in its Unity Connection software, identified as CVE-2024-20272. The flaw is critical because it allows unauthenticated attackers to gain root privileges on affected systems. An update is already available and should be installed as soon as possible.

Vulnerability in Cisco Unity Connection Allows for Root Access

The Unity Connection vulnerability, tracked as CVE-2024-20272, is an arbitrary file upload bug in the web-based management interface of Cisco Unity Connection. It is caused by a lack of authentication in a specific API combined with improper validation of user-supplied data. An attacker could exploit the flaw by uploading arbitrary files to an affected system, which would let them store malicious files on the system, execute arbitrary commands and elevate their privileges to root.

The vulnerability affects Cisco Unity Connection releases 12.5 and earlier, and release 14; release 15 is not affected. While there are no reports of the vulnerability being exploited in the wild, the seriousness of the flaw calls for prompt installation of the updates.

What is Unity Connection?

Cisco Unity Connection is a fully virtualized messaging and voicemail solution that is accessible from many clients: email inboxes, web browsers, Cisco Jabber, smartphones and tablets. The critical nature of the vulnerability stems from its potential impact on these systems, especially since Cisco products are frequently targeted by attackers.

Patch

Cisco has released software updates to mitigate this vulnerability for the affected versions of the Unity Connection software. The fixed versions are 12.5.1.19017-4 for version 12.5 and earlier, and 14.0.1.14006-5 for version 14.

Cisco Unity Connection Release   First Fixed Release
12.5 and earlier                 12.5.1.19017-4
14                               14.0.1.14006-5
15                               Not vulnerable
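To check an installed release against this table, the following is an added example, not Cisco’s software checker. It assumes version strings follow the A.B.C.DDDDD-E pattern shown in the table (a shorter string such as “12.5” is padded with zeros), applies the scope reproduced above (12.5 and earlier must reach 12.5.1.19017-4, release 14 must reach 14.0.1.14006-5, release 15 is not affected), and treats any train the table does not name as “unknown”, which is an assumption rather than something the advisory states.

```python
"""Assess a Cisco Unity Connection version string against the first-fixed
releases for CVE-2024-20272 from the table above.

Added example; the version-string format and the handling of trains not
listed in the table are assumptions.
"""
import re

FIRST_FIXED = {
    12: "12.5.1.19017-4",   # covers "12.5 and earlier" (11.x, 12.0, 12.5 ...)
    14: "14.0.1.14006-5",
}
NOT_VULNERABLE_FROM = 15    # release 15 is listed as not vulnerable


def parse_version(text):
    """'12.5.1.19017-4' -> (12, 5, 1, 19017, 4); missing fields become 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,3})(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    fields = [int(p) for p in m.group(1).split(".")]
    fields += [0] * (4 - len(fields))
    return tuple(fields) + (int(m.group(2) or 0),)


def assess(version):
    """Return 'vulnerable', 'fixed', 'not_vulnerable' or 'unknown'."""
    v = parse_version(version)
    major = v[0]
    if major >= NOT_VULNERABLE_FROM:
        return "not_vulnerable"
    train = 12 if major <= 12 else major   # everything up to 12.5 shares one fix
    if train not in FIRST_FIXED:
        return "unknown"                   # assumption: train absent from the table
    return "fixed" if v >= parse_version(FIRST_FIXED[train]) else "vulnerable"


if __name__ == "__main__":
    for s in ("11.5.1.10000-6", "12.5.1.19017-3", "12.5.1.19017-4",
              "14.0.1.13900-2", "14.0.1.14006-5", "15.0.1.10000-1"):
        print(f"{s:18} {assess(s)}")
```

The comparison is tuple-wise, so the build suffix after the hyphen decides the outcome when the dotted part is equal: 12.5.1.19017-3 is still exposed, 12.5.1.19017-4 is the first safe build.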

Additionally, Cisco patched ten medium-severity security vulnerabilities in multiple products. These issues could enable attackers to escalate privileges, launch cross-site scripting (XSS) attacks, and perform command injections. Among these, a command injection vulnerability identified as CVE-2024-20287 in the web-based management interface of Cisco’s WAP371 Wireless Access Point also drew attention. However, this particular vulnerability won’t be patched by Cisco as the WAP371 device reached its end-of-life in June 2019.

Users of Cisco’s products, particularly those in IT and network management, are advised to stay informed about these updates. They should apply the necessary patches to ensure the security and integrity of their systems and data.

Logs of Internal Chats of the Russian Hacker Group Yanluowang Leaked to the Network
https://gridinsoft.com/blogs/yanluowang-hacker-group/
Mon, 07 Nov 2022 08:33:08 +0000

Information security experts report that the Yanluowang hacker group, which compromised Cisco this summer, has itself been hacked. According to the experts, the group’s internal chats have leaked online and show that Yanluowang consists of Russian-speaking members.

KELA analysts write that the leak contains the group’s chats dated January through September 2022, with all communication in Russian. This is an interesting nuance, since initially many believed Yanluowang to be a Chinese group. That view had already begun to change: in September the hackers were linked to Evil Corp.

Researchers say the chats contain conversations between group members known by the nicknames saint, killanas and stealer. It is believed that saint leads the group, while killanas is responsible for coding. According to some sources it has already been possible to match the attackers to pseudonyms on various hacking forums; according to others, Yanluowang members have already been fully doxed, including their real names, social media accounts and other details.


Here is what the experts have found in the leaked data so far:

  1. according to the chat logs, Yanluowang has existed since at least the fall of 2021, and in one conversation saint mentions the Nyx malware, which his team also seems to use;
  2. a conversation between stealer and a tester under the nickname felix suggests that a version of the Yanluowang malware for ESXi is in development;
  3. on May 14, 2022, saint revealed that the group had “earned” one million US dollars in 2022 (it is not clear whether this was the total amount of ransom payments or the largest single one).

In addition to the logs, you can even find screenshots on the network containing the source code for the decryption procedure for the Yanluowang ransomware.


According to Risky Business, this leak appears to be the result of a major hack. Unknown individuals not only took control of the Matrix internal chat server used by the group but also compromised the Yanluowang “leak site” on the dark web. Through the defacement of this resource, the hackers demonstrated their skills, and they posted a new blog entry on the topic. The post contained links to Telegram and Twitch accounts, where links to stolen chat logs were posted.


It is currently unclear who was behind the hack. Theories range from the classic explanation (a disgruntled former member of the group, or an unnamed security researcher) to the exotic one that it was revenge by Cisco’s security team for the hack in May.


Nevertheless, experts are confident that after a compromise on this scale, Yanluowang’s operations may be finished, as other cybercriminals are unlikely to want to deal with a compromised group whose operational security is in question.

Ransomware publishes data stolen from Cisco
https://gridinsoft.com/blogs/data-stolen-from-cisco/
Wed, 14 Sep 2022 12:24:55 +0000

The Yanluowang hack group published data stolen from Cisco back in May 2022. Cisco representatives acknowledged that the data leak took place, but still insist that the incident did not affect the company’s business in any way.

Let me remind you that last month Cisco representatives confirmed that back in May the company’s corporate network was hacked by the Yanluowang ransomware group. The attackers later tried to extort money from Cisco, threatening to publish the data stolen during the attack.

At the time, the company emphasized that the hackers had not stolen anything serious: they only managed to take non-confidential data from a Box folder associated with the compromised employee account.

The hackers themselves contacted Bleeping Computer and told reporters that they had stolen 2.75 GB of data from the company (approximately 3,100 files), including source codes and secret documents. According to journalists, many of the files were non-disclosure agreements, data dumps and technical documentation.

For example, the attackers gave the publication a redacted version of the agreement and showed a screenshot of the VMware vCenter admin console at the cisco.com URL. The screenshot showed numerous virtual machines, including one called GitLab and used by the Cisco CSIRT.

At the same time, Cisco continued to claim that the company has no evidence that the source code was stolen.

Let me remind you that we also reported that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp.

As Bleeping Computer now reports, Yanluowang members have begun leaking stolen data on the dark web. Against this background, Cisco finally confirmed the data leak, but the company continues to insist that this incident did not affect the business in any way, and the leak of information does not change the initial assessment of the incident.

“On September 11, 2022, the attackers who had previously published a list of filenames associated with the incident on the dark web posted the actual contents of the same files in the same location on the dark web. The contents of these files are consistent with what we have identified and disclosed.

Our previous analysis of the incident remains unchanged – we still do not see any impact on our business, including Cisco products or services, sensitive customer data, sensitive employee information, intellectual property, or supply chain processes,” Cisco said.

I note that at the end of August, cybersecurity analysts from eSentire published a report in which they presented evidence of a possible connection between the Yanluowang group and the well-known Russian-speaking hack group Evil Corp (UNC2165).

Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp
https://gridinsoft.com/blogs/cisco-hacking/
Mon, 05 Sep 2022 13:17:27 +0000

Experts from eSentire established that the infrastructure used to hack Cisco in May 2022 was exploited to compromise an unnamed HR solutions company a month earlier.

Researchers believe that malicious actors associated with Evil Corp. are behind these incidents.

Let me remind you that we also said that Cisco Won’t Fix an RCE Vulnerability in Old RV Routers.

Let me remind you that in August 2022 Cisco representatives confirmed that in May the company’s corporate network was hacked by the Yanluowang ransomware group. The attackers later tried to extort money from Cisco, threatening to publish the data stolen during the attack. The company emphasized at the time that the hackers had managed to steal only non-confidential data from a Box folder associated with the compromised employee account.

eSentire analysts now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).

The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.

“With the help of Cobalt Strike, the attackers were able to gain a foothold in the system. They acted quickly from the moment of initial access to the moment when they were able to register their own virtual machine in the victim’s VPN network,” the experts say.

Researchers link mx1r to Evil Corp because of a number of overlapping tactics, including a Kerberoasting attack against Active Directory and the use of RDP for lateral movement within the company’s network.

At the same time, despite these connections, the HiveStrike infrastructure used to organize the attack generally corresponds to the infrastructure of one of the “partners” of the Conti group, which had previously distributed the Hive and Yanluowang ransomware. These hackers eventually published the data stolen from Cisco on their dark web site.

Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”

These discrepancies don’t seem to bother eSentire analysts in the least:

It seems unlikely (but not impossible) that Conti is providing its infrastructure to Evil Corp. More plausible is that “partner” Evil Corp/UNC2165 may be working with one of Conti’s new subsidiaries. It is also possible that the initial access to the company’s network was provided by a “partner” Evil Corp, but was eventually sold to Hive operators and related entities.

Cisco Won’t Fix an RCE Vulnerability in Old RV Routers
https://gridinsoft.com/blogs/cisco-routers-vulnerability/
Tue, 21 Jun 2022 13:14:43 +0000

A 9.8/10 RCE Vulnerability in Old Cisco RV Routers Will Not Be Patched

Cisco will not patch the vulnerability CVE-2022-20825 on end-of-life devices. The affected devices are Cisco Small Business RV series routers, specifically the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router and RV215W Wireless-N VPN Router.

In its advisory, Cisco recommends migrating to newer models that still receive support and updates. For those who keep using the older hardware, the advisory explains how to disable remote management: the vulnerability is reachable only on routers with the remote management interface enabled, which is not the default configuration. Going to Basic Settings => Remote Management and clearing the corresponding check box is enough to protect the device, at the cost of some convenience.

It is no surprise that the vulnerability is rated 9.8 out of 10. It allows an attacker to execute arbitrary commands with root privileges by sending a specially crafted HTTP request to the device. The lack of proper validation of user input in incoming HTTP packets puts the four named router models in serious jeopardy.

Microsoft Says Over 1,000 Developers Worked on SolarWinds Attack
https://gridinsoft.com/blogs/microsoft-says-about-developers-that-worked-on-solarwinds-attack/
Tue, 16 Feb 2021 16:47:08 +0000

In an interview with CBSNews, Microsoft President Brad Smith said the recent attack on SolarWinds was “the largest and most sophisticated he has ever seen.” According to him, the analysis of the hack carried out by the company’s specialists suggests that more than 1,000 developers worked on this attack.

At the same time, Smith says that the attackers rewrote only 4032 lines of code in Orion, which contains millions of lines of code.

Let me remind you that in December 2020 it became known that unknown hackers attacked SolarWinds and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the infected version of the platform was installed on approximately 18,000 customers, according to official figures.

As a result, the victims included such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Smith said that more than 500 Microsoft engineers are working on the analysis of this incident, but much more specialists “worked” on the side of the attackers:

“When we analysed everything we found at Microsoft, we asked ourselves how many engineers could be working on these attacks? The answer we received was: well, obviously more than a thousand,” said Brad Smith.

Since the attack is attributed to a Russian-speaking hack group that cybersecurity experts track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye), and Dark Halo (Volexity), Smith also compared the SolarWinds hack to large-scale attacks on Ukraine, which are also attributed to Russia (although the Russian Federation authorities deny their involvement).

The head of FireEye, Kevin Mandia, also spoke to reporters and explained the recent events.

As it turned out, a compromise was discovered in FireEye almost by accident. The fact is that to remotely log into a company’s VPN, employees need a two-factor authentication code, and their accounts are tied to phone numbers. The FireEye security service accidentally noticed that one of the employees linked two phone numbers to his account.

“When this person was called and asked if he really had two numbers or devices, he replied that he had not done anything like that. It turned out that the second number was tied to the account by the attackers,” said Kevin Mandia.

Let me remind you that Microsoft says SolarWinds hackers hunted for access to cloud resources.

Experts discovered SolarLeaks website with data stolen in a recent massive hacker attack
https://gridinsoft.com/blogs/experts-discovered-solarleaks-website-with-data-stolen-in-a-recent-massive-hacker-attack/
Wed, 13 Jan 2021 16:32:49 +0000

Bleeping Computer reports the discovery of the SolarLeaks website (solarleaks[.]net), where unidentified individuals claim to be selling data allegedly stolen from SolarWinds, Microsoft, Cisco, and FireEye during a recent supply chain attack.

Just to recap, in December 2020, it was revealed that unknown hackers attacked SolarWinds, infecting its Orion platform with malware. Out of the 300,000 SolarWinds customers, only 33,000 were using Orion, and the compromised version of the platform was installed on approximately 18,000 customers’ machines, according to official figures.

As a result, victims included major entities like Microsoft, Cisco, FireEye, as well as numerous US government agencies, including the US Department of State and the National Nuclear Security Administration.

In early January, the FBI, NSA, CISA, and ODNI issued a joint statement indicating that an unnamed APT group of “probably Russian origin” was responsible for the extensive attack. The SolarWinds hack was described by officials as “an attempt to gather intelligence.”

Now, the unknown individuals claim to be ready to sell the following stolen data:

  • $600,000: Microsoft Windows source codes and other data from the company’s repositories (2.6 GB);
  • $500,000: source codes of various Cisco products and an internal bug tracker dump (1.7 GB);
  • $50,000: private red team FireEye tools, source codes, binaries, and documentation (39 MB);
  • $250,000: SolarWinds product source code (including Orion) and customer portal dump (612 MB).

The hackers offer to sell all this data in bulk for one million dollars. Additionally, the site operators mimic the well-known hack group The Shadow Brokers, stating that initially, the stolen information will be sold in batches, and later, it will be freely published in the public domain.

It’s noteworthy that while Microsoft representatives previously confirmed the possibility of source code theft, Cisco announced having no evidence of the theft of its intellectual property. The solarleaks[.]net domain is registered through the NJALLA registrar, which is popular with hackers. Attempting to check WHOIS information results in the message “You can get no info”.


It remains unknown whether the site operators possess the data they claim to have, or if SolarLeaks is an ambitious scam attempt. Journalists attempted to contact the attackers using the email address provided on the website, but it was found to be nonexistent.


Microsoft says SolarWinds hackers hunted for access to cloud resources
https://gridinsoft.com/blogs/microsoft-says-solarwinds-hackers-hunted-for-access-to-cloud-resources/
Wed, 30 Dec 2020 16:40:02 +0000

Microsoft continues to investigate the supply chain attack that SolarWinds and its customers have suffered this year. Microsoft analysts reported that SolarWinds hackers were hunting for access to cloud resources.

Let me remind you that unknown hackers attacked SolarWinds and infected its Orion platform with malware.

Among the victims were such giants as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.

Let me remind you that SolarWinds was hacked because its credentials were publicly available on GitHub.

A new blog post on Microsoft 365 Defender does not contain new technical details, but the experts write that they appear to have identified the ultimate goal of the hackers: after infiltrating companies’ networks using the SUNBURST (or Solorigate) backdoor, the attackers sought to gain access to the victims’ cloud resources.


“This attack is an advanced and stealthy campaign with the ability to blend in, which could allow attackers to stay under the radar for long periods of time before being detected.

With such a massive initial foothold, attackers could choose specific organizations in which they want to continue working (while others remained a fallback, available at any time, as long as the backdoor was installed and not detected),” the researchers write.

Microsoft experts note that the end goal of the hackers, apparently, was the creation of SAML (Security Assertion Markup Language) tokens in order to forge authentication tokens that provide access to cloud resources. Thus, hackers were able to extract emails from the accounts of interest.

Microsoft detailed the tactics that attackers used to gain access to cloud resources of their victims:

  • Using a compromised SolarWinds DLL to activate a backdoor that allowed remote control of the device;
  • Using the backdoor to steal credentials, escalate privileges and move laterally, in order to create valid SAML tokens in one of two ways: by stealing the SAML signing certificate, or by adding or modifying federation trusts;
  • Using the forged SAML tokens to access cloud resources, steal emails and retain access to the cloud.

Let me also remind you that the SolarWinds hack allowed Russian attackers to infiltrate dozens of US Treasury Department mailboxes.
